Remotely Uninstall ESET Antivirus with PowerShell

Recently, one of the companies that I provide support for switched from using ESET to a new antivirus vendor. The problem is that all of their servers had both ESET File Security and the ESET Remote Administrator Agent installed which needed to be uninstalled before installing the new antivirus agent.

I determined that the following commands could be used to uninstall the applications.

1#Uninstall Eset Remote Administrator Agent
2sc.exe delete eraagentsvc
3msiexec.exe /qn /x {41F12F70-5FA9-43F5-94F4-53B54EB4EEC4}
4
5#Uninstall Eset File Security
6msiexec.exe /qn /x {22ED011A-E075-4D3D-AE41-E00F4372470A}

Running msiexec.exe /? shows the available options.

eset-uninstall1a.png

Based on this information, it appears that /x is to uninstall and /qn is for no user input. The uninstall of ESET File Security using the previous commands that I provided cause the system to reboot automatically. There appears to be a switch for msiexec.exe to suppress the reboot, but it's not something that I tried since the removal process does indeed require a restart.

I initially wrapped those commands inside of the Invoke-Command cmdlet to remotely remove those two applications, but the problem that I ran into is the remoting session didn't wait long enough for the uninstall to complete before ending the session.

The solution was to use Get-Process inside of Invoke-Command with the Wait parameter to allow the uninstall to complete before the remoting session ended.

 1#Uninstall Eset - Warning: This will reboot the server when complete
 2Invoke-Command -ComputerName Server01, Server02, Server03 {
 3
 4    #Uninstall Eset Remote Administrator Agent
 5    Start-Process 'sc.exe' -ArgumentList 'delete eraagentsvc' -Wait
 6    Start-Process 'msiexec.exe' -ArgumentList '/qn /x {41F12F70-5FA9-43F5-94F4-53B54EB4EEC4}' -Wait
 7
 8    #Uninstall Eset File Security
 9    Start-Process 'msiexec.exe' -ArgumentList '/qn /x {22ED011A-E075-4D3D-AE41-E00F4372470A}' -Wait
10
11} -Credential (Get-Credential)

You could use Get-Content to read from a list of server names in a text file or Get-ADComputer to read server names from Active Directory.

You could also query the event logs of those remote servers to verify that the applications were indeed uninstalled.

1Invoke-Command -ComputerName Server01, Server02, Server03 {
2    Get-WinEvent -FilterHashtable @{LogName = 'Application'; ID = '1034'; ProviderName = 'MsiInstaller'; StartTime = (Get-Date).AddDays(-1)}
3} -Credential (Get-Credential)

While Get-WinEvent has a ComputerName parameter, it's much more likely that it will be blocked by a firewall on your network or that the necessary ports to use it won't be open on the server that you're querying. You'll avoid these problems by wrapping it inside of Invoke-Command instead. This also allows all of the remote systems to be queried at once (up to 32 at once by default) instead of one at a time.

µ